<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Servlet Authentication Architecture :: Spring Security</title>
<link rel="canonical" href="../../../servlet/authentication/architecture.html">
<link rel="prev" href="index.html">
<link rel="next" href="passwords/index.html">
<meta name="generator" content="Antora 3.0.0">
<link rel="stylesheet" href="../../../_/css/site.css">
<link href="../../../_/img/favicon.ico" rel='shortcut icon' type='image/vnd.microsoft.icon'>
<link rel="stylesheet" href="../../../_/css/vendor/docsearch.min.css">

<script>var uiRootPath = '../../../_'</script>
</head>
<body class="article">
<header class="header">
<nav class="navbar">
<div class="navbar-brand">
<a class="navbar-item" href="https://spring.io">
<img id="springlogo" class="block" src="../../../_/img/spring-logo.svg" alt="Spring">
</a>
<button class="navbar-burger" data-target="topbar-nav">
<span></span>
<span></span>
<span></span>
</button>
</div>
<div id="topbar-nav" class="navbar-menu">
<div class="navbar-end">
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Why Spring</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/why-spring">Overview</a>
<a class="navbar-item" href="https://spring.io/microservices">Microservices</a>
<a class="navbar-item" href="https://spring.io/reactive">Reactive</a>
<a class="navbar-item" href="https://spring.io/event-driven">Event Driven</a>
<a class="navbar-item" href="https://spring.io/cloud">Cloud</a>
<a class="navbar-item" href="https://spring.io/web-applications">Web Applications</a>
<a class="navbar-item" href="https://spring.io/serverless">Serverless</a>
<a class="navbar-item" href="https://spring.io/batch">Batch</a>
</div>
</div>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Learn</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/learn">Overview</a>
<a class="navbar-item" href="https://spring.io/quickstart">Quickstart</a>
<a class="navbar-item" href="https://spring.io/guides">Guides</a>
<a class="navbar-item" href="https://spring.io/blog">Blog</a>
</div>
</div>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="architecture.html#">Projects</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/projects">Overview</a>
<a class="navbar-item" href="https://spring.io/projects/spring-boot">Spring Boot</a>
<a class="navbar-item" href="https://spring.io/projects/spring-framework">Spring Framework</a>
<a class="navbar-item" href="https://spring.io/projects/spring-cloud">Spring Cloud</a>
<a class="navbar-item" href="https://spring.io/projects/spring-cloud-dataflow">Spring Cloud Data Flow</a>
<a class="navbar-item" href="https://spring.io/projects/spring-data">Spring Data</a>
<a class="navbar-item" href="https://spring.io/projects/spring-integration">Spring Integration</a>
<a class="navbar-item" href="https://spring.io/projects/spring-batch">Spring Batch</a>
<a class="navbar-item" href="https://spring.io/projects/spring-security">Spring Security</a>
<a class="navbar-item navbar-item-special" href="https://spring.io/projects">View all projects</a>
<a class="navbar-item" href="https://spring.io/tools">Spring Tools 4</a>
<a class="navbar-item navbar-item-special-2" href="https://start.spring.io">Spring Initializr <svg class="external-link-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><polyline points="15 10.94 15 15 1 15 1 1 5.06 1" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></polyline><polyline points="8.93 1 15 1 15 7.07" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></polyline><line x1="15" y1="1" x2="8" y2="8" fill="none" stroke="currentColor" stroke-miterlimit="10" stroke-width="2"></line></svg></a>
</div>
</div>
<a class="navbar-item" href="https://spring.io/training">Training</a>
<a class="navbar-item" href="https://spring.io/support">Support</a>
<div class="navbar-item has-dropdown is-hoverable is-community">
<a class="navbar-link" href="architecture.html#">Community</a>
<div class="navbar-dropdown">
<a class="navbar-item" href="https://spring.io/community">Overview</a>
<a class="navbar-item" href="https://spring.io/events">Events</a>
<a class="navbar-item" href="https://spring.io/team">Team</a>
</div>
</div>
</div>
</div>
<div id="switch-theme">
<input type="checkbox" id="switch-theme-checkbox" />
<label for="switch-theme-checkbox">Dark Theme</label>
</div>
</nav>
</header>
<div class="body">
<div class="nav-container" data-component="ROOT" data-version="5.6.4">
<aside class="nav">
<div class="panels">
<div class="nav-panel-menu is-active" data-panel="menu">
<nav class="nav-menu">
<h3 class="title"><a href="../../index.html">Spring Security</a></h3>
<ul class="nav-list">
<li class="nav-item" data-depth="0">
<ul class="nav-list">
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../index.html">Overview</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../prerequisites.html">Prerequisites</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../community.html">Community</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../whats-new.html">What&#8217;s New</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../getting-spring-security.html">Getting Spring Security</a>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../features/index.html">Features</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../features/authentication/index.html">Authentication</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/authentication/password-storage.html">Password Storage</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../features/exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/exploits/csrf.html">CSRF</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/exploits/headers.html">HTTP Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/exploits/http.html">HTTP Requests</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../features/integrations/index.html">Integrations</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/integrations/cryptography.html">Cryptography</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/integrations/data.html">Spring Data</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/integrations/concurrency.html">Java&#8217;s Concurrency APIs</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/integrations/jackson.html">Jackson</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../features/integrations/localization.html">Localization</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../modules.html">Project Modules</a>
</li>
<li class="nav-item" data-depth="1">
<a class="nav-link" href="../../samples.html">Samples</a>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../index.html">Servlet Applications</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../getting-started.html">Getting Started</a>
</li>
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../architecture.html">Architecture</a>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="index.html">Authentication</a>
<ul class="nav-list">
<li class="nav-item is-current-page" data-depth="3">
<a class="nav-link" href="architecture.html">Authentication Architecture</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="passwords/index.html">Username/Password</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="passwords/input.html">Reading Username/Password</a>
<ul class="nav-list">
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/form.html">Form</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/basic.html">Basic</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/digest.html">Digest</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="4">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="passwords/storage.html">Password Storage</a>
<ul class="nav-list">
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/in-memory.html">In Memory</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/jdbc.html">JDBC</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/user-details.html">UserDetails</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/user-details-service.html">UserDetailsService</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/password-encoder.html">PasswordEncoder</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/dao-authentication-provider.html">DaoAuthenticationProvider</a>
</li>
<li class="nav-item" data-depth="5">
<a class="nav-link" href="passwords/ldap.html">LDAP</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="session-management.html">Session Management</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="rememberme.html">Remember Me</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="openid.html">OpenID</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="anonymous.html">Anonymous</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="preauth.html">Pre-Authentication</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="jaas.html">JAAS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="cas.html">CAS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="x509.html">X509</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="runas.html">Run-As</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="logout.html">Logout</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="events.html">Authentication Events</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../authorization/index.html">Authorization</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/architecture.html">Authorization Architecture</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/authorize-http-requests.html">Authorize HTTP Requests</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/authorize-requests.html">Authorize HTTP Requests with FilterSecurityInterceptor</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/expression-based.html">Expression-Based Access Control</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/secure-objects.html">Secure Object Implementations</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/method-security.html">Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../authorization/acls.html">Domain Object Security ACLs</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../oauth2/index.html">OAuth2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../oauth2/login/index.html">OAuth2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/login/core.html">Core Configuration</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/login/advanced.html">Advanced Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../oauth2/client/index.html">OAuth2 Client</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/client/core.html">Core Interfaces and Classes</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/client/authorization-grants.html">OAuth2 Authorization Grants</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/client/client-authentication.html">OAuth2 Client Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/client/authorized-clients.html">OAuth2 Authorized Clients</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../oauth2/resource-server/index.html">OAuth2 Resource Server</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/resource-server/jwt.html">JWT</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/resource-server/opaque-token.html">Opaque Token</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/resource-server/multitenancy.html">Multitenancy</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../oauth2/resource-server/bearer-tokens.html">Bearer Tokens</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../saml2/index.html">SAML2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../saml2/login/index.html">SAML2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../saml2/login/overview.html">SAML2 Log In Overview</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../saml2/login/authentication-requests.html">SAML2 Authentication Requests</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../saml2/login/authentication.html">SAML2 Authentication Responses</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../saml2/logout.html">SAML2 Logout</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../saml2/metadata.html">SAML2 Metadata</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../exploits/csrf.html">Cross Site Request Forgery (CSRF) for Servlet Environments</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../exploits/headers.html">Security HTTP Response Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../exploits/http.html">HTTP</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../exploits/firewall.html">HttpFirewall</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../integrations/index.html">Integrations</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/concurrency.html">Concurrency</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/jackson.html">Jackson</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/localization.html">Localization</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/servlet-api.html">Servlet APIs</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/data.html">Spring Data</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/mvc.html">Spring MVC</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/websocket.html">WebSocket</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/cors.html">Spring&#8217;s CORS Support</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../integrations/jsp-taglibs.html">JSP Taglib</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Configuration</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../configuration/java.html">Java Configuration</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../configuration/kotlin.html">Kotlin Configuration</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../configuration/xml-namespace.html">Namespace Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../test/index.html">Testing</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/method.html">Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/mockmvc/index.html">MockMvc Support</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/mockmvc/setup.html">MockMvc Setup</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../test/mockmvc/request-post-processors.html">Security RequestPostProcessors</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/authentication.html">Mocking Users</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/csrf.html">Mocking CSRF</a>
 </li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/form-login.html">Mocking Form Login</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/http-basic.html">Mocking HTTP Basic</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/oauth2.html">Mocking OAuth2</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../test/mockmvc/logout.html">Mocking Logout</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/mockmvc/request-builders.html">Security RequestBuilders</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/mockmvc/result-matchers.html">Security ResultMatchers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../test/mockmvc/result-handlers.html">Security ResultHandlers</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../appendix/index.html">Appendix</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../appendix/database-schema.html">Database Schemas</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../appendix/namespace/index.html">XML Namespace</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../appendix/namespace/authentication-manager.html">Authentication Services</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../appendix/namespace/http.html">Web Security</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../appendix/namespace/method-security.html">Method Security</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../appendix/namespace/ldap.html">LDAP Security</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../appendix/namespace/websocket.html">WebSocket Security</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../appendix/faq.html">FAQ</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="1">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/index.html">Reactive Applications</a>
<ul class="nav-list">
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../../reactive/getting-started.html">Getting Started</a>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Authentication</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/authentication/x509.html">X.509 Authentication</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/authentication/logout.html">Logout</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Authorization</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/authorization/authorize-http-requests.html">Authorize HTTP Requests</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/authorization/method.html">EnableReactiveMethodSecurity</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/oauth2/index.html">OAuth2</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/oauth2/login/index.html">OAuth2 Log In</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/login/core.html">Core Configuration</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/login/advanced.html">Advanced Configuration</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/oauth2/client/index.html">OAuth2 Client</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/client/core.html">Core Interfaces and Classes</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/client/authorization-grants.html">OAuth2 Authorization Grants</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/client/client-authentication.html">OAuth2 Client Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/client/authorized-clients.html">OAuth2 Authorized Clients</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/oauth2/resource-server/index.html">OAuth2 Resource Server</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/resource-server/jwt.html">JWT</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/resource-server/opaque-token.html">Opaque Token</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/resource-server/multitenancy.html">Multitenancy</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/oauth2/resource-server/bearer-tokens.html">Bearer Tokens</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/exploits/index.html">Protection Against Exploits</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/exploits/csrf.html">CSRF</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/exploits/headers.html">Headers</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/exploits/http.html">HTTP Requests</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<span class="nav-text">Integrations</span>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/integrations/cors.html">CORS</a>
</li>
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/integrations/rsocket.html">RSocket</a>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/test/index.html">Testing</a>
<ul class="nav-list">
<li class="nav-item" data-depth="3">
<a class="nav-link" href="../../reactive/test/method.html">Testing Method Security</a>
</li>
<li class="nav-item" data-depth="3">
<button class="nav-item-toggle"></button>
<a class="nav-link" href="../../reactive/test/web/index.html">Testing Web Security</a>
<ul class="nav-list">
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/test/web/setup.html">WebTestClient Setup</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/test/web/authentication.html">Testing Authentication</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/test/web/csrf.html">Testing CSRF</a>
</li>
<li class="nav-item" data-depth="4">
<a class="nav-link" href="../../reactive/test/web/oauth2.html">Testing OAuth 2.0</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="nav-item" data-depth="2">
<a class="nav-link" href="../../reactive/configuration/webflux.html">WebFlux Security</a>
</li>
</ul>
 </li>
</ul>
</li>
</ul>
</nav>
</div>
<div class="nav-panel-explore" data-panel="explore">
<div class="context">
<span class="title">Spring Security</span>
<span class="version">5.6.4-SNAPSHOT</span>
</div>
<ul class="components">
<li class="component is-current">
<a class="title" href="../../../index.html">Spring Security</a>
<ul class="versions">
<li class="version">
<a href="../../../6.0/index.html">6.0.0-SNAPSHOT</a>
</li>
<li class="version">
<a href="../../../6.0.0-M3/index.html">6.0.0-M3</a>
</li>
<li class="version">
<a href="../../../6.0.0-M2/index.html">6.0.0-M2</a>
</li>
<li class="version">
<a href="../../../6.0.0-M1/index.html">6.0.0-M1</a>
</li>
<li class="version">
<a href="../../../5.7/index.html">5.7.0-SNAPSHOT</a>
</li>
<li class="version">
<a href="../../../5.7.0-RC1/index.html">5.7.0-RC1</a>
</li>
<li class="version">
<a href="../../../5.7.0-M3/index.html">5.7.0-M3</a>
</li>
<li class="version">
<a href="../../../5.7.0-M2/index.html">5.7.0-M2</a>
</li>
<li class="version">
<a href="../../../5.7.0-M1/index.html">5.7.0-M1</a>
</li>
<li class="version is-current">
<a href="../../index.html">5.6.4-SNAPSHOT</a>
</li>
<li class="version is-latest">
<a href="../../../index.html">5.6.3</a>
</li>
<li class="version">
<a href="../../../5.6.2/index.html">5.6.2</a>
</li>
<li class="version">
<a href="../../../5.6.1/index.html">5.6.1</a>
</li>
<li class="version">
<a href="../../../5.6.0/index.html">5.6.0</a>
</li>
<li class="version">
<a href="../../../5.6.0-RC1/index.html">5.6.0-RC1</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</aside>
</div>
<main class="article">
<div class="toolbar" role="navigation">
<button class="nav-toggle"></button>
<nav class="breadcrumbs" aria-label="breadcrumbs">
<ul>
<li><a href="../../index.html">Spring Security</a></li>
<li><a href="../index.html">Servlet Applications</a></li>
<li><a href="index.html">Authentication</a></li>
<li><a href="architecture.html">Authentication Architecture</a></li>
</ul>
</nav>
<div class="search">
<input id="search-input" type="text" placeholder="Search docs">
</div>
<div class="page-versions">
<button class="version-menu-toggle" title="Show other versions of page">5.6.4-SNAPSHOT</button>
<div class="version-menu">
<a class="version" href="../../../6.0/servlet/authentication/architecture.html">6.0.0-SNAPSHOT</a>
<a class="version" href="../../../6.0.0-M3/servlet/authentication/architecture.html">6.0.0-M3</a>
<a class="version" href="../../../6.0.0-M2/servlet/authentication/architecture.html">6.0.0-M2</a>
<a class="version" href="../../../6.0.0-M1/servlet/authentication/architecture.html">6.0.0-M1</a>
<a class="version" href="../../../5.7/servlet/authentication/architecture.html">5.7.0-SNAPSHOT</a>
<a class="version" href="../../../5.7.0-RC1/servlet/authentication/architecture.html">5.7.0-RC1</a>
<a class="version" href="../../../5.7.0-M3/servlet/authentication/architecture.html">5.7.0-M3</a>
<a class="version" href="../../../5.7.0-M2/servlet/authentication/architecture.html">5.7.0-M2</a>
<a class="version" href="../../../5.7.0-M1/servlet/authentication/architecture.html">5.7.0-M1</a>
<a class="version is-current" href="architecture.html">5.6.4-SNAPSHOT</a>
<a class="version" href="../../../servlet/authentication/architecture.html">5.6.3</a>
<a class="version" href="../../../5.6.2/servlet/authentication/architecture.html">5.6.2</a>
<a class="version" href="../../../5.6.1/servlet/authentication/architecture.html">5.6.1</a>
<a class="version" href="../../../5.6.0/servlet/authentication/architecture.html">5.6.0</a>
<a class="version" href="../../../5.6.0-RC1/servlet/authentication/architecture.html">5.6.0-RC1</a>
</div>
</div>
<div class="edit-this-page"><a href="https://github.com/spring-projects/spring-security/edit/5.6.x/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc">Edit this Page</a></div>
</div>
<div class="content">
<aside class="toc sidebar" data-title="Contents" data-levels="2">
<div class="toc-menu"></div>
</aside>
<article class="doc">
<div class="admonitionblock important">
<table>
<tbody><tr>
<td class="icon">
<i class="fa icon-important" title="Important"></i>
</td>
<td class="content">
<div class="paragraph">
<p>This version is still in development and is not considered stable yet. For the latest stable version, please use <a href="../../../servlet/authentication/architecture.html">Spring Security 5.6.3</a>!</p>
</div>
</td>
</tr></tbody>
</table>
</div>
<h1 id="page-title" class="page">Servlet Authentication Architecture</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This discussion expands on <a href="../architecture.html#servlet-architecture" class="xref page">Servlet Security: The Big Picture</a> to describe the main architectural components of Spring Security&#8217;s used in Servlet authentication.
If you need concrete flows that explain how these pieces fit together, look at the <a href="index.html#servlet-authentication-mechanisms" class="xref page">Authentication Mechanism</a> specific sections.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="architecture.html#servlet-authentication-securitycontextholder">SecurityContextHolder</a> - The <code>SecurityContextHolder</code> is where Spring Security stores the details of who is <a href="../../features/authentication/index.html#authentication" class="xref page">authenticated</a>.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-securitycontext">SecurityContext</a> - is obtained from the <code>SecurityContextHolder</code> and contains the <code>Authentication</code> of the currently authenticated user.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-authentication">Authentication</a> - Can be the input to <code>AuthenticationManager</code> to provide the credentials a user has provided to authenticate or the current user from the <code>SecurityContext</code>.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-granted-authority">GrantedAuthority</a> - An authority that is granted to the principal on the <code>Authentication</code> (i.e. roles, scopes, etc.)</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-authenticationmanager">AuthenticationManager</a> - the API that defines how Spring Security&#8217;s Filters perform <a href="../../features/authentication/index.html#authentication" class="xref page">authentication</a>.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-providermanager">ProviderManager</a> - the most common implementation of <code>AuthenticationManager</code>.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-authenticationprovider">AuthenticationProvider</a> - used by <code>ProviderManager</code> to perform a specific type of authentication.</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-authenticationentrypoint">Request Credentials with <code>AuthenticationEntryPoint</code></a> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a <code>WWW-Authenticate</code> response, etc.)</p>
</li>
<li>
<p><a href="architecture.html#servlet-authentication-abstractprocessingfilter">AbstractAuthenticationProcessingFilter</a> - a base <code>Filter</code> used for authentication.
This also gives a good idea of the high level flow of authentication and how pieces work together.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-securitycontextholder"><a class="anchor" href="architecture.html#servlet-authentication-securitycontextholder"></a>SecurityContextHolder</h2>
<div class="sectionbody">
<div class="paragraph">
<p>At the heart of Spring Security&#8217;s authentication model is the <code>SecurityContextHolder</code>.
It contains the <a href="architecture.html#servlet-authentication-securitycontext">SecurityContext</a>.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../../_images/servlet/authentication/architecture/securitycontextholder.png" alt="securitycontextholder">
</div>
</div>
<div class="paragraph">
<p>The <code>SecurityContextHolder</code> is where Spring Security stores the details of who is <a href="../../features/authentication/index.html#authentication" class="xref page">authenticated</a>.
Spring Security does not care how the <code>SecurityContextHolder</code> is populated.
If it contains a value, then it is used as the currently authenticated user.</p>
</div>
<div class="paragraph">
<p>The simplest way to indicate a user is authenticated is to set the <code>SecurityContextHolder</code> directly.</p>
</div>
<div class="exampleblock">
<div class="title">Example 1. Setting <code>SecurityContextHolder</code></div>
<div class="content">
<div class="listingblock primary">
<div class="title">Java</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-java hljs" data-lang="java">SecurityContext context = SecurityContextHolder.createEmptyContext(); <i class="conum" data-value="1"></i><b>(1)</b>
Authentication authentication =
    new TestingAuthenticationToken("username", "password", "ROLE_USER"); <i class="conum" data-value="2"></i><b>(2)</b>
context.setAuthentication(authentication);

SecurityContextHolder.setContext(context); <i class="conum" data-value="3"></i><b>(3)</b></code></pre>
</div>
</div>
<div class="listingblock secondary">
<div class="title">Kotlin</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-kotlin hljs" data-lang="kotlin">val context: SecurityContext = SecurityContextHolder.createEmptyContext() <i class="conum" data-value="1"></i><b>(1)</b>
val authentication: Authentication = TestingAuthenticationToken("username", "password", "ROLE_USER") <i class="conum" data-value="2"></i><b>(2)</b>
context.authentication = authentication

SecurityContextHolder.setContext(context) <i class="conum" data-value="3"></i><b>(3)</b></code></pre>
</div>
</div>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>We start by creating an empty <code>SecurityContext</code>.
It is important to create a new <code>SecurityContext</code> instance instead of using <code>SecurityContextHolder.getContext().setAuthentication(authentication)</code> to avoid race conditions across multiple threads.</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>Next we create a new <a href="architecture.html#servlet-authentication-authentication"><code>Authentication</code></a> object.
Spring Security does not care what type of <code>Authentication</code> implementation is set on the <code>SecurityContext</code>.
Here we use <code>TestingAuthenticationToken</code> because it is very simple.
A more common production scenario is <code>UsernamePasswordAuthenticationToken(userDetails, password, authorities)</code>.</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>Finally, we set the <code>SecurityContext</code> on the <code>SecurityContextHolder</code>.
Spring Security will use this information for <a href="../authorization/index.html#servlet-authorization" class="xref page">authorization</a>.</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>If you wish to obtain information about the authenticated principal, you can do so by accessing the <code>SecurityContextHolder</code>.</p>
</div>
<div class="exampleblock">
<div class="title">Example 2. Access Currently Authenticated User</div>
<div class="content">
<div class="listingblock primary">
<div class="title">Java</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-java hljs" data-lang="java">SecurityContext context = SecurityContextHolder.getContext();
Authentication authentication = context.getAuthentication();
String username = authentication.getName();
Object principal = authentication.getPrincipal();
Collection&lt;? extends GrantedAuthority&gt; authorities = authentication.getAuthorities();</code></pre>
</div>
</div>
<div class="listingblock secondary">
<div class="title">Kotlin</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-kotlin hljs" data-lang="kotlin">val context = SecurityContextHolder.getContext()
val authentication = context.authentication
val username = authentication.name
val principal = authentication.principal
val authorities = authentication.authorities</code></pre>
</div>
</div>
</div>
</div>
<div class="paragraph">
<p>By default the <code>SecurityContextHolder</code> uses a <code>ThreadLocal</code> to store these details, which means that the <code>SecurityContext</code> is always available to methods in the same thread, even if the <code>SecurityContext</code> is not explicitly passed around as an argument to those methods.
Using a <code>ThreadLocal</code> in this way is quite safe if care is taken to clear the thread after the present principal&#8217;s request is processed.
Spring Security&#8217;s <a href="../architecture.html#servlet-filterchainproxy" class="xref page">FilterChainProxy</a> ensures that the <code>SecurityContext</code> is always cleared.</p>
</div>
<div class="paragraph">
<p>Some applications aren&#8217;t entirely suitable for using a <code>ThreadLocal</code>, because of the specific way they work with threads.
For example, a Swing client might want all threads in a Java Virtual Machine to use the same security context.
<code>SecurityContextHolder</code> can be configured with a strategy on startup to specify how you would like the context to be stored.
For a standalone application you would use the <code>SecurityContextHolder.MODE_GLOBAL</code> strategy.
Other applications might want to have threads spawned by the secure thread also assume the same security identity.
This is achieved by using <code>SecurityContextHolder.MODE_INHERITABLETHREADLOCAL</code>.
You can change the mode from the default <code>SecurityContextHolder.MODE_THREADLOCAL</code> in two ways.
The first is to set a system property, the second is to call a static method on <code>SecurityContextHolder</code>.
Most applications won&#8217;t need to change from the default, but if you do, take a look at the Javadoc for <code>SecurityContextHolder</code> to learn more.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-securitycontext"><a class="anchor" href="architecture.html#servlet-authentication-securitycontext"></a>SecurityContext</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/context/SecurityContext.html"><code>SecurityContext</code></a> is obtained from the <a href="architecture.html#servlet-authentication-securitycontextholder">SecurityContextHolder</a>.
The <code>SecurityContext</code> contains an <a href="architecture.html#servlet-authentication-authentication">Authentication</a> object.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-authentication"><a class="anchor" href="architecture.html#servlet-authentication-authentication"></a>Authentication</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/Authentication.html"><code>Authentication</code></a> serves two main purposes within Spring Security:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>An input to <a href="architecture.html#servlet-authentication-authenticationmanager"><code>AuthenticationManager</code></a> to provide the credentials a user has provided to authenticate.
When used in this scenario, <code>isAuthenticated()</code> returns <code>false</code>.</p>
</li>
<li>
<p>Represents the currently authenticated user.
The current <code>Authentication</code> can be obtained from the <a href="architecture.html#servlet-authentication-securitycontext">SecurityContext</a>.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The <code>Authentication</code> contains:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>principal</code> - identifies the user.
When authenticating with a username/password this is often an instance of <a href="passwords/user-details.html#servlet-authentication-userdetails" class="xref page"><code>UserDetails</code></a>.</p>
</li>
<li>
<p><code>credentials</code> - often a password.
In many cases this will be cleared after the user is authenticated to ensure it is not leaked.</p>
</li>
<li>
<p><code>authorities</code> - the <a href="architecture.html#servlet-authentication-granted-authority"><code>GrantedAuthority</code>s</a> are high level permissions the user is granted.
A few examples are roles or scopes.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-granted-authority"><a class="anchor" href="architecture.html#servlet-authentication-granted-authority"></a>GrantedAuthority</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/core/GrantedAuthority.html"><code>GrantedAuthority</code>s</a> are high level permissions the user is granted. A few examples are roles or scopes.</p>
</div>
<div class="paragraph">
<p><code>GrantedAuthority</code>s can be obtained from the <a href="architecture.html#servlet-authentication-authentication"><code>Authentication.getAuthorities()</code></a> method.
This method provides a <code>Collection</code> of <code>GrantedAuthority</code> objects.
A <code>GrantedAuthority</code> is, not surprisingly, an authority that is granted to the principal.
Such authorities are usually "roles", such as <code>ROLE_ADMINISTRATOR</code> or <code>ROLE_HR_SUPERVISOR</code>.
These roles are later on configured for web authorization, method authorization and domain object authorization.
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
When using username/password based authentication <code>GrantedAuthority</code>s are usually loaded by the <a href="passwords/user-details-service.html#servlet-authentication-userdetailsservice" class="xref page"><code>UserDetailsService</code></a>.</p>
</div>
<div class="paragraph">
<p>Usually the <code>GrantedAuthority</code> objects are application-wide permissions.
They are not specific to a given domain object.
Thus, you wouldn&#8217;t likely have a <code>GrantedAuthority</code> to represent a permission to <code>Employee</code> object number 54, because if there are thousands of such authorities you would quickly run out of memory (or, at the very least, cause the application to take a long time to authenticate a user).
Of course, Spring Security is expressly designed to handle this common requirement, but you&#8217;d instead use the project&#8217;s domain object security capabilities for this purpose.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-authenticationmanager"><a class="anchor" href="architecture.html#servlet-authentication-authenticationmanager"></a>AuthenticationManager</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/authentication/AuthenticationManager.html"><code>AuthenticationManager</code></a> is the API that defines how Spring Security&#8217;s Filters perform <a href="../../features/authentication/index.html#authentication" class="xref page">authentication</a>.
The <a href="architecture.html#servlet-authentication-authentication"><code>Authentication</code></a> that is returned is then set on the <a href="architecture.html#servlet-authentication-securitycontextholder">SecurityContextHolder</a> by the controller (i.e. <a href="../architecture.html#servlet-security-filters" class="xref page">Spring Security&#8217;s <code>Filters</code>s</a>) that invoked the <code>AuthenticationManager</code>.
If you are not integrating with <em>Spring Security&#8217;s <code>Filters</code>s</em> you can set the <code>SecurityContextHolder</code> directly and are not required to use an <code>AuthenticationManager</code>.</p>
</div>
<div class="paragraph">
<p>While the implementation of <code>AuthenticationManager</code> could be anything, the most common implementation is <a href="architecture.html#servlet-authentication-providermanager"><code>ProviderManager</code></a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-providermanager"><a class="anchor" href="architecture.html#servlet-authentication-providermanager"></a>ProviderManager</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/authentication/ProviderManager.html"><code>ProviderManager</code></a> is the most commonly used implementation of <a href="architecture.html#servlet-authentication-authenticationmanager"><code>AuthenticationManager</code></a>.
<code>ProviderManager</code> delegates to a <code>List</code> of <a href="architecture.html#servlet-authentication-authenticationprovider"><code>AuthenticationProvider</code>s</a>.
Each <code>AuthenticationProvider</code> has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream <code>AuthenticationProvider</code> to decide.
If none of the configured <code>AuthenticationProvider</code>s can authenticate, then authentication will fail with a <code>ProviderNotFoundException</code> which is a special <code>AuthenticationException</code> that indicates the <code>ProviderManager</code> was not configured to support the type of <code>Authentication</code> that was passed into it.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../../_images/servlet/authentication/architecture/providermanager.png" alt="providermanager">
</div>
</div>
<div class="paragraph">
<p>In practice each <code>AuthenticationProvider</code> knows how to perform a specific type of authentication.
For example, one <code>AuthenticationProvider</code> might be able to validate a username/password, while another might be able to authenticate a SAML assertion.
This allows each <code>AuthenticationProvider</code> to do a very specific type of authentication, while supporting multiple types of authentication and only exposing a single <code>AuthenticationManager</code> bean.</p>
</div>
<div class="paragraph">
<p><code>ProviderManager</code> also allows configuring an optional parent <code>AuthenticationManager</code> which is consulted in the event that no <code>AuthenticationProvider</code> can perform authentication.
The parent can be any type of <code>AuthenticationManager</code>, but it is often an instance of <code>ProviderManager</code>.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../../_images/servlet/authentication/architecture/providermanager-parent.png" alt="providermanager parent">
</div>
</div>
<div class="paragraph">
<p>In fact, multiple <code>ProviderManager</code> instances might share the same parent <code>AuthenticationManager</code>.
This is somewhat common in scenarios where there are multiple <a href="../architecture.html#servlet-securityfilterchain" class="xref page"><code>SecurityFilterChain</code></a> instances that have some authentication in common (the shared parent <code>AuthenticationManager</code>), but also different authentication mechanisms (the different <code>ProviderManager</code> instances).</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../../_images/servlet/authentication/architecture/providermanagers-parent.png" alt="providermanagers parent">
</div>
</div>
<div id="servlet-authentication-providermanager-erasing-credentials" class="paragraph">
<p>By default <code>ProviderManager</code> will attempt to clear any sensitive credentials information from the <code>Authentication</code> object which is returned by a successful authentication request.
This prevents information like passwords being retained longer than necessary in the <code>HttpSession</code>.</p>
</div>
<div class="paragraph">
<p>This may cause issues when you are using a cache of user objects, for example, to improve performance in a stateless application.
If the <code>Authentication</code> contains a reference to an object in the cache (such as a <code>UserDetails</code> instance) and this has its credentials removed, then it will no longer be possible to authenticate against the cached value.
You need to take this into account if you are using a cache.
An obvious solution is to make a copy of the object first, either in the cache implementation or in the <code>AuthenticationProvider</code> which creates the returned <code>Authentication</code> object.
Alternatively, you can disable the <code>eraseCredentialsAfterAuthentication</code> property on <code>ProviderManager</code>.
See the <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/authentication/ProviderManager.html">Javadoc</a> for more information.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-authenticationprovider"><a class="anchor" href="architecture.html#servlet-authentication-authenticationprovider"></a>AuthenticationProvider</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Multiple <a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/authentication/AuthenticationProvider.html"><code>AuthenticationProvider</code>s</a> can be injected into <a href="architecture.html#servlet-authentication-providermanager"><code>ProviderManager</code></a>.
Each <code>AuthenticationProvider</code> performs a specific type of authentication.
For example, <a href="passwords/dao-authentication-provider.html#servlet-authentication-daoauthenticationprovider" class="xref page"><code>DaoAuthenticationProvider</code></a> supports username/password based authentication while <code>JwtAuthenticationProvider</code> supports authenticating a JWT token.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-authenticationentrypoint"><a class="anchor" href="architecture.html#servlet-authentication-authenticationentrypoint"></a>Request Credentials with <code>AuthenticationEntryPoint</code></h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/AuthenticationEntryPoint.html"><code>AuthenticationEntryPoint</code></a> is used to send an HTTP response that requests credentials from a client.</p>
</div>
<div class="paragraph">
<p>Sometimes a client will proactively include credentials such as a username/password to request a resource.
In these cases, Spring Security does not need to provide an HTTP response that requests credentials from the client since they are already included.</p>
</div>
<div class="paragraph">
<p>In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
In this case, an implementation of <code>AuthenticationEntryPoint</code> is used to request credentials from the client.
The <code>AuthenticationEntryPoint</code> implementation might perform a <a href="passwords/form.html#servlet-authentication-form" class="xref page">redirect to a log in page</a>, respond with an <a href="passwords/basic.html#servlet-authentication-basic" class="xref page">WWW-Authenticate</a> header, etc.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="servlet-authentication-abstractprocessingfilter"><a class="anchor" href="architecture.html#servlet-authentication-abstractprocessingfilter"></a>AbstractAuthenticationProcessingFilter</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html"><code>AbstractAuthenticationProcessingFilter</code></a> is used as a base <code>Filter</code> for authenticating a user&#8217;s credentials.
Before the credentials can be authenticated, Spring Security typically requests the credentials using <a href="architecture.html#servlet-authentication-authenticationentrypoint"><code>AuthenticationEntryPoint</code></a>.</p>
</div>
<div class="paragraph">
<p>Next, the <code>AbstractAuthenticationProcessingFilter</code> can authenticate any authentication requests that are submitted to it.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../../_images/servlet/authentication/architecture/abstractauthenticationprocessingfilter.png" alt="abstractauthenticationprocessingfilter">
</div>
</div>
<div class="paragraph">
<p><span class="image"><img src="../../_images/icons/number_1.png" alt="number 1"></span> When the user submits their credentials, the <code>AbstractAuthenticationProcessingFilter</code> creates an <a href="architecture.html#servlet-authentication-authentication"><code>Authentication</code></a> from the <code>HttpServletRequest</code> to be authenticated.
The type of <code>Authentication</code> created depends on the subclass of <code>AbstractAuthenticationProcessingFilter</code>.
For example, <a href="passwords/form.html#servlet-authentication-usernamepasswordauthenticationfilter" class="xref page"><code>UsernamePasswordAuthenticationFilter</code></a> creates a <code>UsernamePasswordAuthenticationToken</code> from a <em>username</em> and <em>password</em> that are submitted in the <code>HttpServletRequest</code>.</p>
</div>
<div class="paragraph">
<p><span class="image"><img src="../../_images/icons/number_2.png" alt="number 2"></span> Next, the <a href="architecture.html#servlet-authentication-authentication"><code>Authentication</code></a> is passed into the <a href="architecture.html#servlet-authentication-authenticationmanager"><code>AuthenticationManager</code></a> to be authenticated.</p>
</div>
<div class="paragraph">
<p><span class="image"><img src="../../_images/icons/number_3.png" alt="number 3"></span> If authentication fails, then <em>Failure</em></p>
</div>
<div class="ulist">
<ul>
<li>
<p>The <a href="architecture.html#servlet-authentication-securitycontextholder">SecurityContextHolder</a> is cleared out.</p>
</li>
<li>
<p><code>RememberMeServices.loginFail</code> is invoked.
If remember me is not configured, this is a no-op.</p>
</li>
<li>
<p><code>AuthenticationFailureHandler</code> is invoked.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><span class="image"><img src="../../_images/icons/number_4.png" alt="number 4"></span> If authentication is successful, then <em>Success</em>.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>SessionAuthenticationStrategy</code> is notified of a new log in.</p>
</li>
<li>
<p>The <a href="architecture.html#servlet-authentication-authentication">Authentication</a> is set on the <a href="architecture.html#servlet-authentication-securitycontextholder">SecurityContextHolder</a>.
Later the <code>SecurityContextPersistenceFilter</code> saves the <code>SecurityContext</code> to the <code>HttpSession</code>.</p>
</li>
<li>
<p><code>RememberMeServices.loginSuccess</code> is invoked.
If remember me is not configured, this is a no-op.</p>
</li>
<li>
<p><code>ApplicationEventPublisher</code> publishes an <code>InteractiveAuthenticationSuccessEvent</code>.</p>
</li>
<li>
<p><code>AuthenticationSuccessHandler</code> is invoked.</p>
</li>
</ul>
</div>
</div>
</div>
<nav class="pagination">
<span class="prev"><a href="index.html">Authentication</a></span>
<span class="next"><a href="passwords/index.html">Username/Password</a></span>
</nav>
</article>
</div>
</main>
</div>
<footer class="footer flex">
<div id="spring-links flex">
<img id="springlogo" src="../../../_/img/spring-logo.svg" alt="Spring">
<p class="smallest antialiased">© <script>var d = new Date();
        document.write(d.getFullYear());</script> <a href="https://www.vmware.com/">VMware</a>, Inc. or its affiliates. <a href="https://www.vmware.com/help/legal.html">Terms of Use</a> • <a href="https://www.vmware.com/help/privacy.html" rel="noopener noreferrer">Privacy</a> • <a href="https://spring.io/trademarks">Trademark Guidelines</a> <span id="thank-you-mobile">• <a href="https://spring.io/thank-you">Thank you</a></span> • <a href="https://www.vmware.com/help/privacy/california-privacy-rights.html">Your California Privacy Rights</a> • <a class="ot-sdk-show-settings">Cookie Settings</a> <span id="teconsent"></span></p>
<p class="smallest antialiased">Apache®, Apache Tomcat®, Apache Kafka®, Apache Cassandra&trade;, and Apache Geode&trade; are trademarks or registered trademarks of the Apache Software Foundation in the United States and/or other countries. Java&trade;, Java&trade; SE, Java&trade; EE, and OpenJDK&trade; are trademarks of Oracle and/or its affiliates. Kubernetes® is a registered trademark of the Linux Foundation in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Windows® and Microsoft® Azure are registered trademarks of Microsoft Corporation. “AWS” and “Amazon Web Services” are trademarks or registered trademarks of Amazon.com Inc. or its affiliates. All other trademarks and copyrights are property of their respective owners and are only mentioned for informative purposes. Other names may be trademarks of their respective owners.</p>
</div>
<div id="social-icons" class="flex jc-between">
<a href="https://www.youtube.com/user/SpringSourceDev" title="Youtube"><svg id="youtube-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 40 40"><circle class="cls-1" cx="20" cy="20" r="20" /><path class="cls-2" d="M30.91,14.53a2.89,2.89,0,0,0-2-2C27.12,12,20,12,20,12s-7.12,0-8.9.47a2.9,2.9,0,0,0-2,2A30.56,30.56,0,0,0,8.63,20a30.44,30.44,0,0,0,.46,5.47,2.89,2.89,0,0,0,2,2C12.9,28,20,28,20,28s7.12,0,8.9-.47a2.87,2.87,0,0,0,2-2A30.56,30.56,0,0,0,31.37,20,28.88,28.88,0,0,0,30.91,14.53ZM17.73,23.41V16.59L23.65,20Z" /></svg></a>
<a href="https://github.com/spring-projects" title="Github"><svg id="github-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 75.93 75.93"><path class="cls-1" d="M38,0a38,38,0,1,0,38,38A38,38,0,0,0,38,0Z" /></g><path class="cls-2" d="M38,15.59A22.95,22.95,0,0,0,30.71,60.3c1.15.21,1.57-.5,1.57-1.11s0-2,0-3.9c-6.38,1.39-7.73-3.07-7.73-3.07A6.09,6.09,0,0,0,22,48.86c-2.09-1.42.15-1.39.15-1.39a4.81,4.81,0,0,1,3.52,2.36c2,3.5,5.37,2.49,6.67,1.91a4.87,4.87,0,0,1,1.46-3.07c-5.09-.58-10.45-2.55-10.45-11.34a8.84,8.84,0,0,1,2.36-6.15,8.29,8.29,0,0,1,.23-6.07s1.92-.62,6.3,2.35a21.82,21.82,0,0,1,11.49,0c4.38-3,6.3-2.35,6.3-2.35a8.29,8.29,0,0,1,.23,6.07,8.84,8.84,0,0,1,2.36,6.15c0,8.81-5.37,10.75-10.48,11.32a5.46,5.46,0,0,1,1.56,4.25c0,3.07,0,5.54,0,6.29s.42,1.33,1.58,1.1A22.94,22.94,0,0,0,38,15.59Z" /></svg></a>
<a href="https://twitter.com/springcentral" title="Twitter"><svg id="twitter-icon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 75.93 75.93"><circle class="cls-1" cx="37.97" cy="37.97" r="37.97" /><path id="Twitter-2" data-name="Twitter" class="cls-2" d="M55.2,22.73a15.43,15.43,0,0,1-4.88,1.91,7.56,7.56,0,0,0-5.61-2.49A7.78,7.78,0,0,0,37,30a7.56,7.56,0,0,0,.2,1.79,21.63,21.63,0,0,1-15.84-8.23,8,8,0,0,0,2.37,10.52,7.66,7.66,0,0,1-3.48-1v.09A7.84,7.84,0,0,0,26.45,41a7.54,7.54,0,0,1-2,.28A7.64,7.64,0,0,1,23,41.09a7.71,7.71,0,0,0,7.18,5.47,15.21,15.21,0,0,1-9.55,3.37,15.78,15.78,0,0,1-1.83-.11,21.41,21.41,0,0,0,11.78,3.54c14.13,0,21.86-12,21.86-22.42,0-.34,0-.68,0-1a15.67,15.67,0,0,0,3.83-4.08,14.9,14.9,0,0,1-4.41,1.24A7.8,7.8,0,0,0,55.2,22.73Z" /></svg></a>
</div>
</footer>
<script src="../../../_/js/site.js"></script>
<script async src="../../../_/js/vendor/highlight.js"></script>
<script async src="../../../_/js/vendor/tabs.js"></script>
<script src="../../../_/js/vendor/switchtheme.js"></script>
<script src="../../../_/js/vendor/docsearch.min.js"></script>

<script>
var search = docsearch({
  appId: '244V8V9FGG',
  apiKey: '82c7ead946afbac3cf98c32446154691',
  indexName: 'security-docs',
  inputSelector: '#search-input',
  autocompleteOptions: { hint: false, keyboardShortcuts: ['s'] },
  algoliaOptions: { hitsPerPage: 10 }
}).autocomplete
search.on('autocomplete:closed', function () { search.autocomplete.setVal() })
</script>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"702d39c14b5797ee","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
